12/08/05 - Release 0.1
I had the need to set up a squid server that brings up an ssh tunnel to another squid server "on demand", meaning "bring up
the connection only when a client wants to go there, and bring it down 30 minutes after the last request came in".

After one day of digging, coding and beer, this is what I've done; it is probably not perfect and could be improved, but
"It Just Works (TM)". :)

Configure the ondemandssh.pl script according to your settings:
1) <YOURREMOTELOGINHERE> is the username you have on the remote server
2) <REMOTEPORTHERE> is the port on which the remote ssh server listens (usually 22)
3) <LOCALIPHERE> is your local ip address
4) <REMOTESQUIDIPHERE> is the ip address of the remote squid server
5) <REMOTESQUIDPORTHERE> is the port on which the remote squid listens
6) <REMOTEHOSTHERE> is the (public) ip address of the remote ssh server
7) <YOURRSAKEYHERE> is the path to your RSA key

So, assuming you have the remote userid "squid", the remote ssh server listens on port 22, your local ip is 10.10.10.10, the remote squid ip:port is
192.168.1.10:3128, the remote ssh server has the ip address 212.110.120.30 and the path to your RSA key is /home/staff/rsa, your ssh line would be

This means that the tunnel is working: that response comes from the remote squid, not from the local one.
Assuming the URL you want to trigger the ssh tunnel is, let's say, "http://intranet.example.com", change the following lines in the perl script:

To test if the script works correctly, open a console and launch the script. Type the URL and press enter (this is what squid
would feed the redirector on stdin, one request per line):

$ ./ondemandssh.pl
http://intranet.example.com
(wait some seconds and the following line should appear)
302:http://intranet.example.com

If you look at "ps ax" you'll probably see that the ssh tunnel has been brought up. If not... well... check permissions and things like that.. :)
Now edit the "vpncheck" script. This is much simpler: the only parameter you have to change is <YOURREMOTELOGINHERE>. Change it to your remote userid (in
our example "squid") and install it in your crontab with the following line:

* * * * * /bin/vpncheck >/dev/null 2>&1

(Watch the order of the redirections: the frequent typo "2&>1 /dev/null" does not silence the script at all; the shell reads the "&"
as the end of the command, so vpncheck runs in the background with "2" as an argument and a second command "/dev/null" is attempted.)

"vpncheck" works by checking, every minute, the timestamp of the "/tmp/vpnactive" file. This file is touched every time a request for the intranet comes to the perl script.
After 30 minutes of no intranet access, the ssh tunnel is killed.
Two caveats: "touch" updates both the access and the modification time, but on a filesystem mounted noatime the access time is never updated by
reads, so test the modification time if your check must survive such mounts. And /tmp is world-writable, so any local user who can touch
/tmp/vpnactive can keep the tunnel alive indefinitely (or plant a symlink there before the script creates it); a marker file in a directory
writable only by the user running squid avoids both.
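The HOWTO's own ssh line and vpncheck script are not reproduced on this page. The script below is an added example (not the author's ondemandssh.pl or vpncheck) that puts the two halves described above in one place: it builds the ssh tunnel command from the sample values given earlier, brings the tunnel up only once, records activity in a marker file, and tears the tunnel down when the marker has been idle for 30 minutes. The local port 13128, the state directory /var/run/ondemandssh and the script name are assumptions (the local squid most likely already owns 3128, so the tunnel end needs another port). It also shows the authorized_keys options that confine the remote "squid" account to exactly this forward, a restriction the HOWTO leaves to the reader.

```shell
#!/bin/sh
# ondemand-tunnel.sh: bring the ssh tunnel to the remote squid up on demand and
# tear it down once the activity marker has been idle for IDLE_MINUTES.
# Added example; values are the HOWTO's sample values, except LOCAL_PORT and
# STATE_DIR, which are assumptions.

REMOTE_LOGIN=squid
REMOTE_HOST=212.110.120.30          # public address of the remote ssh server
REMOTE_PORT=22
LOCAL_IP=10.10.10.10                # address the local end of the tunnel binds to
LOCAL_PORT=13128                    # assumed: the local squid already owns 3128
REMOTE_SQUID=192.168.1.10
REMOTE_SQUID_PORT=3128
KEY=/home/staff/rsa
IDLE_MINUTES=30
# Assumed state directory, writable only by the squid user: a marker in /tmp
# could be touched by any local user to hold the tunnel open.
STATE_DIR=${STATE_DIR:-/var/run/ondemandssh}
ACTIVE=$STATE_DIR/vpnactive
PIDFILE=$STATE_DIR/ssh.pid

# The ssh command line built from the settings above. No -f: ssh is started
# with & below so its pid can be recorded for the idle check to kill.
# BatchMode stops ssh from hanging on a prompt when called from the redirector,
# ExitOnForwardFailure makes ssh die instead of staying up without the forward.
ssh_cmd() {
    printf '%s' "ssh -i $KEY -N -p $REMOTE_PORT" \
        " -o BatchMode=yes -o ExitOnForwardFailure=yes" \
        " -o ServerAliveInterval=60 -o ServerAliveCountMax=3" \
        " -L $LOCAL_IP:$LOCAL_PORT:$REMOTE_SQUID:$REMOTE_SQUID_PORT" \
        " $REMOTE_LOGIN@$REMOTE_HOST"
}

# authorized_keys entry for the remote account: the key may only open a forward
# to the remote squid, gets no pty, agent or X11 forwarding, and never a shell.
# $1 is the public key material.
authorized_keys_line() {
    printf 'permitopen="%s:%s",no-pty,no-agent-forwarding,no-X11-forwarding,command="/bin/false" %s\n' \
        "$REMOTE_SQUID" "$REMOTE_SQUID_PORT" "$1"
}

# 0 when the pidfile names a live ssh process.
tunnel_up() {
    [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# Record activity; call this for every request that should travel the tunnel.
mark_active() {
    mkdir -p "$STATE_DIR" && touch "$ACTIVE"
}

# 0 when FILE ($1, default $ACTIVE) is older than MINUTES ($2, default
# $IDLE_MINUTES). Uses the modification time, so noatime mounts are fine.
idle_too_long() {
    f=${1:-$ACTIVE}; m=${2:-$IDLE_MINUTES}
    [ -f "$f" ] || return 0                 # no marker at all counts as idle
    [ -n "$(find "$f" -mmin +"$m" 2>/dev/null)" ]
}

bring_up() {
    mark_active
    tunnel_up && return 0
    $(ssh_cmd) &
    echo $! > "$PIDFILE"
}

bring_down() {
    tunnel_up && kill "$(cat "$PIDFILE")"
    rm -f "$PIDFILE"
}

# The redirector calls "up" for intranet requests; cron runs the vpncheck role:
#   * * * * * /usr/local/bin/ondemand-tunnel.sh check >/dev/null 2>&1
case ${1:-} in
    up)    bring_up ;;
    down)  bring_down ;;
    check) tunnel_up && idle_too_long && bring_down ;;
esac
```

With BatchMode the remote host key must already be in the squid user's known_hosts, otherwise ssh refuses to connect instead of asking; that is the behaviour you want for an unattended tunnel, since the redirector cannot answer the prompt. The authorized_keys line goes in ~squid/.ssh/authorized_keys on the remote ssh server; with permitopen in place a stolen /home/staff/rsa can only reach 192.168.1.10:3128, not the rest of the remote network.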

Now it's time to configure squid. Since this is not "Configuring squid for dummies" :) I'll show you only the relevant lines you need to change or add in your squid.conf file:

As you can probably see, I'm doing extra authorization checks. In this specific case, before letting someone go to http://intranet.example.com, I check whether that
username is a member of the AD group "IntranetAuthorized". Integration with AD domains and NTLM authentication is not covered in this HOWTO, but you can find lots
of information around. (hint: google)
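The author's squid.conf lines are not reproduced on this page. The fragment below is an added example, not the author's configuration, of how the pieces described above fit together using Squid 2.5 directive names (later versions call the redirector url_rewrite_program). The redirector path, the wbinfo_group.pl helper path and the local tunnel port 13128 are assumptions; the auth_param lines that make %LOGIN carry an NTLM username are the part the HOWTO leaves to the reader.

```conf
# Only intranet requests go through the redirector that brings the tunnel up;
# everything else must not pay for (or be able to trigger) the ssh startup.
redirect_program /usr/local/bin/ondemandssh.pl
redirect_children 5
acl intranet dstdomain intranet.example.com
redirector_access allow intranet
redirector_access deny all

# Local end of the ssh tunnel, used as parent only for intranet requests,
# which may never be fetched directly (they would fail or leak out anyway).
cache_peer 10.10.10.10 parent 13128 0 no-query no-digest
cache_peer_access 10.10.10.10 allow intranet
cache_peer_access 10.10.10.10 deny all
never_direct allow intranet

# Authorization: only members of the AD group may reach the intranet.
# The helper is asked for the authenticated login plus the group name.
external_acl_type ADGroup ttl=300 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl IntranetAuthorized external ADGroup IntranetAuthorized
http_access allow intranet IntranetAuthorized
http_access deny intranet
```

Keep the two "deny intranet" rules before whatever general "http_access allow" you already have, otherwise the group check is never reached; and note that "redirector_access deny all" means a request for any other URL can no longer wake the tunnel, which is the intended effect.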

I hope this will help you as much as it helped me :) If you have questions, please let me know.

DISCLAIMER

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own
risk. There may be errors and inaccuracies that may damage your system. Proceed with caution; although damage is highly
unlikely, the author does not and cannot take any responsibility for any damage to your system that may occur as a direct
or indirect result of information contained within this document. You are strongly recommended to make a backup of your
system before proceeding and to adhere to the practice of backing up at regular intervals.